Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site.

Recently, we’ve come across another level of customization.

Fake Payment Form in Bulgarian

A compromised Magento site had the following script injected into its core_config_data table.

hxxps://elegrina[.]com/assets/<domain>.js, where <domain> was the second-level domain of the infected site.
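A defender can audit the same table for this pattern. The sketch below is an added example, not code from the original article: it scans `core_config_data` rows for third-party script references and raises the severity when the file name or host embeds the shop's own second-level domain. The shop host `www.myshop.example`, the other host names and the sample rows are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# src attribute of any <script> tag stored inside a config value
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

def site_labels(site_host):
    """Return (second-level label, registrable domain) for the shop's host.
    Assumption: single-label public suffix (.com, .bg); use a PSL library otherwise."""
    parts = site_host.lower().strip(".").split(".")
    return parts[-2], ".".join(parts[-2:])

def audit_rows(rows, site_host):
    """rows: (path, value) pairs, e.g. from
    SELECT path, value FROM core_config_data WHERE value LIKE '%<script%';
    Returns (severity, path, host) for every third-party script reference."""
    sld, registrable = site_labels(site_host)
    findings = []
    for path, value in rows:
        for src in SCRIPT_SRC.findall(value or ""):
            url = urlparse(src, scheme="https")   # also handles //host/path
            host = (url.hostname or "").lower()
            if not host or host == registrable or host.endswith("." + registrable):
                continue                           # relative or first-party
            stem = url.path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
            # A foreign host serving a file named after our own domain, or a
            # host name embedding it, matches the customization described above.
            severity = "high" if stem == sld or sld in host else "review"
            findings.append((severity, path, host))
    return findings

# Constructed sample rows (not taken from the infected site)
SAMPLE_ROWS = [
    ("design/head/includes", '<script src="https://cdn.thirdparty.example/assets/myshop.js"></script>'),
    ("design/footer/absolute_footer", '<script async src="//analytics.vendor.example/tag.js"></script>'),
    ("design/head/includes", '<script src="/static/theme.js"></script>'),
    ("web/secure/base_url", "https://www.myshop.example/"),
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS, "www.myshop.example"):
        print(finding)
```

Entries marked `review` are not necessarily malicious; compare them against the list of third-party scripts the shop intentionally loads.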